Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 26.0.0
-
Fix Version/s: Meridian-2018.1.18, Meridian-2019.1.6, 26.0.1
-
Component/s: Architecture, Minion
-
Security Level: Default (Default Security Scheme)
-
Environment:DockerHub image
-
Sprint:Horizon 2020 - April 15th
Description
The disclosing researcher writes:
I began to have a look at your software (suite) OpenNMS. Yesterday, I found that one could get Remote Code Execution (RCE) via malicious MQ messages
on the Horizon base station from a remote machine with minion credentials. At least that was the case I found quickly to be valid with respect to the role model.
Find attached a short write-up describing a little bit more on the exploitation steps.
The referenced write-up is included as a PDF attachment.